﻿On Tuesday we covered a disturbing story from the New York Times and ZDnet.com detailing how some of the country's largest cellular providers have been selling your real-time location information, allowing a Texas-based prison technology company, Securus, to track any phone "within seconds" - all without a warrant - through an intermediary called LocationSmart.

Now, as KrebsOnSecurityreports, in addition to a story from Motherboard on a hacker which had broken into the Securus servers and stolen the usernames, email addresses, phone numbers and other information of 2,800 users - mostly law enforcement, it turns out that a flaw in LocationSmart's tracking demo website gave anyone the ability to surveil anyone else's cell phone on the open web.

Several hours before the Motherboard story went live, KrebsOnSecurity heard from Robert Xiao, a security researcher at Carnegie Mellon University who’d read the coverage of Securus and LocationSmart and had been poking around a demo tool that LocationSmart makes available on its Web site for potential customers to try out its mobile location technology. -KrebsOnSecurity

The demo, which has since been taken down, was a free service that would give anyone the approximate location of their own cell phones by entering their name, email address and phone number into a form. LocationSmart's service would then text the supplied phone number and request permission to ping that device's nearest cellular tower. Once consent was obtained, the service would then reveal the subscriber's approximate latitude and longitude on a Google Street View map.

As Krebs notes, "It also potentially collects and stores a great deal of technical data about your mobile device. For example, according to their privacy policy that information “may include, but is not limited to, device latitude/longitude, accuracy, heading, speed, and altitude, cell tower, Wi-Fi access point, or IP address information."

But according to Xiao, a PhD candidate at CMU’sHuman-Computer Interaction Institute, this same service failed to perform basic checks to prevent anonymous and unauthorized queries. Translation: Anyone with a modicum of knowledge about how Web sites work could abuse the LocationSmart demo site to figure out how to conduct mobile number location lookups at will, all without ever having to supply a password or other credentials.

“I stumbled upon this almost by accident, and it wasn’t terribly hard to do,” Xiao said. “This is something anyone could discover with minimal effort. And the gist of it is I can track most peoples’ cell phone without their consent.”

Xiao's tests showed that he could easily command LocationSmart's service to ping the closest cell phone tower to a subscriber's mobile device. He says he checked a friend's cell phone number multiple times over a few minutes while that friend was moving - and he was able to manually plug the provided coordinates into Google Maps to track his directional movement.

“This is really creepy stuff,” Xiao said, adding that he’d also successfully tested the vulnerable service against one TelusMobility mobile customer in Canada who volunteered to be found. (Krebs)

Before LocationSmart’s demo was taken offline today, KrebsOnSecurity pinged five different trusted sources, all of whom gave consent to have Xiao determine the whereabouts of their cell phones. Xiao was able to determine within a few seconds of querying the public LocationSmart service the near-exact location of the mobile phone belonging to all five of my sources.

One of the queries "came within 100 yards of their then-current location" says Krebs, while another was 1.5 miles away. The remaining participants in the test say that the results were accurate to approximately 1/5 to 1/3 of a mile at the time.

When Krebs reached out to LocationSmart Founder and CEO Mario Proietti, he said that the company was investigating.

“We don’t give away data,” Proietti said. “We make it available for legitimate and authorized purposes. It’s based on legitimate and authorized use of location data that only takes place on consent. We take privacy seriously and we’ll review all facts and look into them.”

It’s not clear exactly how long LocationSmart has offered its demo service or for how long the service has been so permissive; this link from archive.org suggests it dates back to at least January 2017. This link from The Internet Archive suggests the service may have existed under a different company name — loc-aid.com — since mid-2011, but it’s unclear if that service used the same code. Loc-aid.com is one of four other sites hosted on the same server as locationsmart.com, according to Domaintools.com. -KrebsOnSecurity

***

Last week Sen. Ron Wyden (D-OR) sent a letter to the FCC demanding an investigation into Securus, after the New York Times revealed that former Mississippi County sheriff Cory Hutcheson used the service almost a dozen time to track the phones of other officers, and even targeted a judge.

Between 2014 and 2017, the sheriff, Cory Hutcheson, used the service at least 11 times, prosecutors said. His alleged targets included a judge and members of the State Highway Patrol. Mr. Hutcheson, who was dismissed last year in an unrelated matter, has pleaded not guilty in the surveillance cases. -NYT

Hutcheson has pleaded not guilty to charges of unlawful surveillance.

How did this happen?

How is it that LocationSmart obtained real time location data on millions of Americans? Moreover, who else has access to that information?

Kevin Blankston, director of New America's Open Technology Institute told ZDNet in a phone call that the Electronic Communications Privacy Act only restricts telecom companies from disclosing data to the government. It does not restrict carriers from disclosing information to other companies - a loophole Blankston calls "one of the biggest gaps in US privacy law."

"The issue doesn't appear to have been directly litigated before, but because of the way that the law only restricts disclosures by these types of companies to government, my fear is that they would argue that they can do a pass-through arrangement like this," he said.

LocationSmart, a California-based technology company, is one of a handful of so-called data aggregators. It claimed to have "direct connections" to cell carrier networks to obtain real-time cell phone location data from nearby cell towers. It's less accurate than using GPS, but cell tower data won't drain a phone battery and doesn't require a user to install an app. Verizon, one of many cell carriers that sells access to its vast amounts of customer location data, counts LocationSmart as a close partner. -ZD Net

LocationSmart boasts coverage of 85 percent of the country due to its relationships with major US carriers - including Virgin, Boost, MetroPCS and US Cellular, along with Canadian providers Rogers, Telus and Bell.

We utilize the same technology used to enable emergency assistance and this includes cell tower and cell sector location, assisted GPS and cell tower trilateration," said a case study on the company's website.

"With these location sources, we are able to locate virtually any US based mobile devices," the company claimed. The precise location of a target can be returned in as little as 15 seconds, according to a different study.

ZDNet reached out to carriers for comments. What follows is their responses:

Sprint spokesperson Lisa Belot said the company shares personally identifiable location data "only with customer consent or in response to a lawful request such as a validated court order from law enforcement."

Sprint said the company's relationship with Securus "does not include data sharing," and is limited "to supporting efforts to curb unlawful use of contraband cell phones in correctional facilities."

When asked the same questions, Verizon spokesperson Rich Young provided a boilerplate response regarding Securus and would not comment further.

"We're still trying to verify their activities, but if this company is, in fact, doing this with our customers' data, we will take steps to stop it," he said.

AT&T spokesperson Jim Greer said in a statement: "We have a best practices approach to handling our customers' data. We are aware of the letter and will provide a response." Our questions were also not answered.

A spokesperson for T-Mobile did not respond by our deadline.

"It's important for us to close off that potential loophole and that can easily be done with one line of legislative language," said Bankston, "which would also have the benefit of making every other company careful about always getting consent before disclosing your data to anyone."

Senator Wyden has called on each carrier to stop sharing data with third parties - arguing that it "skirts wireless carriers' legal obligation to be the sole conduit by which the government may conduct surveillance of Americans' phone records."